MidnightBSD

Advisories for cmu

CVE-1999-0799 HIGH

Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
cmu bootpd *
CVE-2011-1926 MEDIUM

The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
cmu cyrus_imap_server 2.2.12
cmu cyrus_imap_server 2.2.13
cmu cyrus_imap_server 2.3.4
cmu cyrus_imap_server 2.3.3
cmu cyrus_imap_server 2.3.15
cmu cyrus_imap_server 2.3.13
cmu cyrus_imap_server 2.3.14
cmu cyrus_imap_server 2.1.16
cmu cyrus_imap_server 2.4.1
cmu cyrus_imap_server 2.3.16
cmu cyrus_imap_server 2.1.17
cmu cyrus_imap_server 2.3.0
cmu cyrus_imap_server 2.4.5
cmu cyrus_imap_server 2.0.17
cmu cyrus_imap_server 2.4.0
cmu cyrus_imap_server 2.3.1
cmu cyrus_imap_server 2.3.5
cmu cyrus_imap_server 2.3.11
cmu cyrus_imap_server 2.3.2
cmu cyrus_imap_server *
cmu cyrus_imap_server 2.4.2
cmu cyrus_imap_server 2.2.10
cmu cyrus_imap_server 2.2.9
cmu cyrus_imap_server 2.3.12
cmu cyrus_imap_server 2.2.8
cmu cyrus_imap_server 2.2.13p1
cmu cyrus_imap_server 2.1.18
cmu cyrus_imap_server 2.2.11
cmu cyrus_imap_server 2.3.6
cmu cyrus_imap_server 2.3.8
cmu cyrus_imap_server 2.3.9
cmu cyrus_imap_server 2.3.10
cmu cyrus_imap_server 2.4.4
cmu cyrus_imap_server 2.3.7
cmu cyrus_imap_server 2.4.3
CVE-2011-3208 HIGH

Stack-based buffer overflow in the split_wildmats function in nntpd.c in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows remote attackers to execute arbitrary code via a crafted NNTP command.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
cmu cyrus_imap_server 2.2.12
cmu cyrus_imap_server 2.2.13
cmu cyrus_imap_server 2.3.4
cmu cyrus_imap_server 2.3.3
cmu cyrus_imap_server 2.3.15
cmu cyrus_imap_server 2.3.13
cmu cyrus_imap_server 2.3.14
cmu cyrus_imap_server 2.2.14
cmu cyrus_imap_server 2.4.8
cmu cyrus_imap_server 2.4.6
cmu cyrus_imap_server 2.1.16
cmu cyrus_imap_server 2.4.1
cmu cyrus_imap_server 2.4.10
cmu cyrus_imap_server 2.4.9
cmu cyrus_imap_server 2.4.7
cmu cyrus_imap_server 2.1.17
cmu cyrus_imap_server 2.3.0
cmu cyrus_imap_server 2.4.5
cmu cyrus_imap_server 2.0.17
cmu cyrus_imap_server 2.4.0
cmu cyrus_imap_server 2.3.1
cmu cyrus_imap_server 2.3.5
cmu cyrus_imap_server 2.3.11
cmu cyrus_imap_server 2.3.2
cmu cyrus_imap_server *
cmu cyrus_imap_server 2.4.2
cmu cyrus_imap_server 2.2.10
cmu cyrus_imap_server 2.2.9
cmu cyrus_imap_server 2.3.12
cmu cyrus_imap_server 2.2.8
cmu cyrus_imap_server 2.2.13p1
cmu cyrus_imap_server 2.1.18
cmu cyrus_imap_server 2.2.11
cmu cyrus_imap_server 2.3.6
cmu cyrus_imap_server 2.3.8
cmu cyrus_imap_server 2.3.9
cmu cyrus_imap_server 2.3.10
cmu cyrus_imap_server 2.4.4
cmu cyrus_imap_server 2.3.7
cmu cyrus_imap_server 2.4.3
CVE-2011-3481 MEDIUM

The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
cmu cyrus_imap_server 2.2.12
cmu cyrus_imap_server 2.2.13
cmu cyrus_imap_server 2.3.4
cmu cyrus_imap_server 2.3.3
cmu cyrus_imap_server 2.3.15
cmu cyrus_imap_server 2.3.13
cmu cyrus_imap_server 2.3.14
cmu cyrus_imap_server 2.4.8
cmu cyrus_imap_server 2.4.6
cmu cyrus_imap_server 2.1.16
cmu cyrus_imap_server 2.4.1
cmu cyrus_imap_server 2.3.16
cmu cyrus_imap_server 2.4.9
cmu cyrus_imap_server 2.4.7
cmu cyrus_imap_server 2.1.17
cmu cyrus_imap_server 2.3.0
cmu cyrus_imap_server 2.4.5
cmu cyrus_imap_server 2.0.17
cmu cyrus_imap_server 2.4.0
cmu cyrus_imap_server 2.3.1
cmu cyrus_imap_server 2.3.5
cmu cyrus_imap_server 2.3.11
cmu cyrus_imap_server 2.3.2
cmu cyrus_imap_server *
cmu cyrus_imap_server 2.4.2
cmu cyrus_imap_server 2.2.10
cmu cyrus_imap_server 2.2.9
cmu cyrus_imap_server 2.3.12
cmu cyrus_imap_server 2.2.8
cmu cyrus_imap_server 2.2.13p1
cmu cyrus_imap_server 2.1.18
cmu cyrus_imap_server 2.3.17
cmu cyrus_imap_server 2.2.11
cmu cyrus_imap_server 2.3.6
cmu cyrus_imap_server 2.3.8
cmu cyrus_imap_server 2.3.9
cmu cyrus_imap_server 2.3.10
cmu cyrus_imap_server 2.4.4
cmu cyrus_imap_server 2.3.7
cmu cyrus_imap_server 2.4.3
CVE-2013-4122 MEDIUM

Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
cmu cyrus-sasl 2.1.23
cmu cyrus-sasl 2.1.22
cmu cyrus-sasl 2.1.24
cmu cyrus-sasl *
cmu cyrus-sasl 2.1.20
cmu cyrus-sasl 1.5.28
cmu cyrus-sasl 2.1.21
cmu cyrus-sasl 2.1.19
cmu cyrus-sasl 2.1.25
CVE-2014-0027 LOW

The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows local users to modify arbitrary files via a symlink attack on /tmp/awb.wav. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
cmu flite 1.4
CVE-2014-7723 MEDIUM

The Carnegie Mellon Silicon Valley (aka edu.cmu.sv.mobile) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
cmu carnegie_mellon_silicon_valley 0.1
CVE-2022-31506 MEDIUM

The cmusatyalab/opendiamond repository through 10.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.3 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L 3.9 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
cmu opendiamond *
CVE-2025-27092

GHOSTS is an open source user simulation framework for cyber experimentation, simulation, training, and exercise. A path traversal vulnerability was discovered in GHOSTS version 8.0.0.0 that allows an attacker to access files outside of the intended directory through the photo retrieval endpoint. The vulnerability exists in the /api/npcs/{id}/photo endpoint, which is designed to serve profile photos for NPCs (Non-Player Characters) but fails to properly validate and sanitize file paths. When an NPC is created with a specially crafted photoLink value containing path traversal sequences (../, ..\, etc.), the application processes these sequences without proper sanitization. This allows an attacker to traverse directory structures and access files outside of the intended photo directory, potentially exposing sensitive system files. The vulnerability is particularly severe because it allows reading arbitrary files from the server's filesystem with the permissions of the web application process, which could include configuration files, credentials, or other sensitive data. This issue has been addressed in version 8.2.7.90 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
cmu ghosts *
CVE-2026-22188

Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior.

Products Affected

Vendor Product Version
cmu panda3d *
CVE-2026-22189

Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.

Products Affected

Vendor Product Version
cmu panda3d *
CVE-2026-22190

Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.

Products Affected

Vendor Product Version
cmu panda3d *